Abstract

We give a new treatment of the π-calculus based on the semantic theory of separation logic, continuing a research program begun by Hoare and O'Hearn. Using a novel resource model that distinguishes between public and private ownership, we refactor the operational semantics so that sending, receiving, and allocating are commands that influence owned resources. These ideas lead naturally to two denotational models: one for safety and one for liveness. Both models are fully abstract for the corresponding observables, but more importantly both are very simple. The close connections with the model theory of separation logic (in particular, with Brookes's action trace model) give rise to a logic of processes and resources.

Names play a leading role in the π-calculus [12]: they are both the means of communication, and the data communicated. This paper presents a study of the π-calculus based on a new mechanism for name management, which is in turn rooted in separation logic. The main benefit of this study is a very simple — but fully abstract — denotational semantics for the π-calculus.

Traditionally, the use of names in the π-calculus is governed by lexical, but dynamically-expandable, scope. In the composite process P | new x.Q for example, the channel x is by virtue of scope initially private to Q. The prefix new x is not an imperative allocation. It is a binder that remains fixed as Q evolves — a constant reminder that x is private — until Q sends x in a message. At that point, the binder is lifted to cover both P and Q, dynamically "extruding" the scope of x. The π-calculus relies on α-renaming and side conditions about freshness to ensure that its privacy narrative is borne out.

In contrast, work on separation logic has led to models of dynamically-structured concurrency based on resources and ownership, rather than names and scoping [3,5]. From this perspective, programs consist of imperative commands that use certain resources (their "footprint") while leaving any additional resources unchanged. Concurrent processes must divide resources amongst themselves, with each process using only those resources it owns. Ownership makes it possible to constrain concurrent interference, and thereby to reason compositionally about process behavior.

In this paper, we reanalyze the π-calculus in terms of resources and ownership, establishing a clear connection with models of separation logic. The analysis hinges on the use of resources to specify not just that a process can do something, but that other processes cannot.¹ Concretely, channels are resources that can be owned either publicly or privately. Public ownership asserts only that a channel can be used by the owning process. Private ownership asserts moreover that a channel cannot be used by other processes. And the prefix new x becomes an imperative action, allocating an initially private channel.

Armed with this simple resource model, we give a new operational semantics for the π-calculus (§1). The semantics is factored into two layers. The first layer generates the basic labeled transitions, without regard to their global plausibility. The second layer then uniformly interprets those labels as resource transformers, filtering out implausible steps. The two-layer setup is reminiscent of Brookes's semantics for concurrent separation logic [3,2], and allows us to blend message-passing and imperative interpretations of actions.

More importantly, the resource model also enables a very simple denotational treatment of the π-calculus. We give two denotational interpretations, both trace-theoretic. The first (§2) captures safety properties only, while the second (§3) is also sensitive to divergence and some branching behavior, along the lines of the failures/divergences model with infinite traces [18]. We prove that each model is fully abstract with respect to appropriate observables.

The semantic foundation reconciles the model theory of separation logic with the π-calculus; what about the proof theory? We sketch an integration of separation logic with refinement calculus for processes (§4). Refinement is justified by the denotational semantics, so the calculus is sound for contextual approximation. Resource reasoning allows us to derive an interference-free expansion law that uses privacy assertions to rule out interference on a channel.

To provide an accurate model of the π-calculus, public/private resources must be conservative in a certain sense: once a resource has been made public, it is impossible to make it private again. Work in separation logic has shown the usefulness of more "aggressive" resource models that capture not just what can and cannot be done, but assert that certain things may not be done. We sketch a few such aggressive resource models (§5.1), including an interpretation of fractional permissions [1] and of session types [10].



¹ Such a reading of resources has already appeared in e.g. deny-guarantee reasoning [6].

Hoare and O'Hearn initiated a study of a π-calculus-like language in terms of separation logic semantics [9]. That study provided the impetus for our work, which goes farther by (1) handling the full calculus, (2) handling liveness, (3) proving full abstraction and (4) building a logic on the semantics. There have also been several fully abstract models of the π-calculus [20,8,7] based on functor categories for modeling scope. Our models complement these by providing an elementary account of behavior, structured around resources and abstract separation logic. A full discussion of related work is in §5.2.

1 A resource-driven operational semantics 

There are many variants of the π-calculus; here's ours:

$$P ::= \textstyle\sum_i \pi_i.P_i \;\mid\; P \oplus Q \;\mid\; \mathrm{new}\ x.P \;\mid\; P|Q \;\mid\; \mathrm{rec}\ X.P \;\mid\; X$$
$$\pi ::= e\,e' \;\mid\; e(x) \qquad\qquad e ::= x \;\mid\; c$$

We distinguish between external choice (+) and internal choice (⊕), which simplifies the liveness semantics (§3) but is not essential. We also distinguish between channels (c, d) and channel variables (x, z) and include a simple grammar of channel expressions (e) ranging over both. A closed process has no unbound channel or process variables. Closed processes may, however, refer to channel constants and thereby communicate with an environment. We write 0 for an empty summation, which is an inert process.

1.1 Generating actions 

The operational semantics of closed processes is given in two layers, via two labelled transition systems. In both systems, the labels are (syntactic) actions, given by the following grammar:

$$\alpha ::= c!d \;\mid\; c?d \;\mid\; \nu c \;\mid\; \tau \;\mid\; \lightning \qquad\text{(Action)}$$

Actions record the concrete channels involved in sending, receiving, and allocating, respectively. The action $\tau$, as usual, represents an internal (unobservable) step on the part of the process. The action $\lightning$ represents a fault, caused by using an unowned channel (§1.2). Communication actions are dual: $\overline{c!d} = c?d$ and $\overline{c?d} = c!d$, while $\overline{\nu c}$, $\overline{\tau}$, and $\overline{\lightning}$ are undefined.

The first transition system generates all conceivable actions associated with a process, without considering whether those actions are globally plausible:

Operational semantics: action generation $P \xrightarrow{\alpha} Q$

$$\cdots + cd.P + \cdots \xrightarrow{c!d} P \qquad\quad \cdots + c(x).P + \cdots \xrightarrow{c?d} P\{d/x\} \qquad\quad P_1 \oplus P_2 \xrightarrow{\tau} P_i$$
$$\mathrm{new}\ x.P \xrightarrow{\nu c} P\{c/x\} \qquad\quad \mathrm{rec}\ X.P \xrightarrow{\tau} P\{\mathrm{rec}\ X.P/X\}$$
$$\frac{P \xrightarrow{\alpha} P'}{P|Q \xrightarrow{\alpha} P'|Q} \qquad\quad \frac{Q \xrightarrow{\alpha} Q'}{P|Q \xrightarrow{\alpha} P|Q'} \qquad\quad \frac{P \xrightarrow{\alpha} P' \quad Q \xrightarrow{\overline{\alpha}} Q'}{P|Q \xrightarrow{\tau} P'|Q'}$$

According to this semantics, we will have transitions like

$$\mathrm{new}\ x.\mathrm{new}\ y.xy.0 \xrightarrow{\nu c} \mathrm{new}\ y.cy.0 \xrightarrow{\nu c} cc.0 \xrightarrow{c!c} 0$$

where c is allocated twice, and used to communicate with an environment that cannot know it. To filter out such executions, we use resources.

1.2 Resources and action semantics 

The execution above is intuitively impossible because, after the first $\nu c$ action, the process already owns the channel c. Similarly, for the process new x.xx.0 the trace

$$\mathrm{new}\ x.xx.0 \xrightarrow{\nu c} cc.0 \xrightarrow{c!c} 0$$

is impossible because the channel c, having just been allocated, is unknown to the environment — so no parallel process could possibly be on the other side of the communication, receiving along c.

Formally, resources are elements σ of the domain $\Sigma = \mathit{Chan} \rightharpoonup \{\mathrm{pub}, \mathrm{pri}\}$, where pub and pri are distinct atoms. If a process is executing with resources σ, it owns the channels $\mathrm{dom}(\sigma)$, and $\sigma(c)$ tells, for each c, whether that ownership is exclusive. Therefore, if $c \in \mathrm{dom}(\sigma)$, the action $\nu c$ is impossible. Likewise, if $\sigma(c) = \mathrm{pri}$, the action $c!c$ is impossible.

The resources owned at a particular point in time determine not only what is possible, but also what is permissible. For example, the process cd.0 immediately attempts a communication along the channel c. If this channel is not allocated (i.e., not owned, i.e., not in $\mathrm{dom}(\sigma)$) then the process is faulty: it is attempting to use a dangling pointer.

We interpret actions α as resource transformers of type $\Sigma \to \Sigma^\top_\bot$.² Since all nondeterminism is resolved during the generation of actions, these transformers are deterministic. A result of $\top$ or $\bot$ represents that an action is not permissible or not possible, respectively.



² The notation $\Sigma^\top_\bot$ denotes the set $\Sigma \cup \{\top, \bot\}$ and implies an ordering $\bot < \sigma < \top$ for all $\sigma \in \Sigma$. The order structure follows abstract separation logic [5], and is related to locality (§2).
Given the semantics $\llbracket\alpha\rrbracket : \Sigma \to \Sigma^\top_\bot$ of actions (defined below), we can define a transition system that executes actions according to the currently-owned resources:

Operational semantics: resource sensitivity $P, \sigma \xrightarrow{\alpha} P', \sigma'$

$$\frac{P \xrightarrow{\alpha} P' \qquad \llbracket\alpha\rrbracket\sigma = \sigma'}{P, \sigma \xrightarrow{\alpha} P', \sigma'} \qquad\qquad \frac{P \xrightarrow{\alpha} P' \qquad \llbracket\alpha\rrbracket\sigma = \top}{P, \sigma \xrightarrow{\lightning} 0, \sigma}$$

Successful actions proceed normally, updating the owned resources — note that if $\llbracket\alpha\rrbracket\sigma = \sigma'$ then in particular $\llbracket\alpha\rrbracket\sigma \neq \top, \bot$. Impermissible actions noisily fail, generating the faulting label $\lightning$. Impossible actions silently fail to occur. The semantics of actions is as follows:



Action semantics $\llbracket\alpha\rrbracket : \Sigma \to \Sigma^\top_\bot$

$$\llbracket c!d\rrbracket\sigma = \begin{cases} \top & \{c, d\} \not\subseteq \mathrm{dom}(\sigma) \\ \sigma[d \mapsto \mathrm{pub}] & \sigma(c) = \mathrm{pub} \\ \bot & \text{otherwise} \end{cases} \qquad\quad \llbracket \nu c\rrbracket\sigma = \begin{cases} \sigma[c \mapsto \mathrm{pri}] & c \notin \mathrm{dom}(\sigma) \\ \bot & \text{otherwise} \end{cases} \qquad\quad \llbracket\tau\rrbracket\sigma = \sigma$$

$$\llbracket c?d\rrbracket\sigma = \begin{cases} \top & c \notin \mathrm{dom}(\sigma) \\ \sigma[d \mapsto \mathrm{pub}] & \sigma(c) = \mathrm{pub},\ \sigma(d) \neq \mathrm{pri} \\ \bot & \text{otherwise} \end{cases} \qquad\quad \llbracket\lightning\rrbracket\sigma = \top$$

Allocation is always permitted, but is not possible if the channel is already allocated. Allocated channels are initially private. Sending a channel publicizes it, but the communication is only possible if performed over an already public channel, and only permitted over an allocated channel. A locally-unknown channel received from the environment is known to the environment, and hence public; a locally-known channel received from the environment cannot possibly have been private.



Examples

Consider the process new x.0. We have

$$\mathrm{new}\ x.0 \xrightarrow{\nu c} 0$$

for every channel c. It follows that

$$\mathrm{new}\ x.0, \emptyset \xrightarrow{\nu c} 0, [c \mapsto \mathrm{pri}]$$

for every channel c, while executing with more resources

$$\mathrm{new}\ x.0, [c \mapsto \mathrm{pri}] \xrightarrow{\nu d} 0, [c \mapsto \mathrm{pri}] \uplus [d \mapsto \mathrm{pri}]$$

results in constrained allocation: the $\uplus$ here denotes disjoint union, meaning that $c \neq d$. The fact that c was already allocated pruned one trace (preventing it from taking an impossible step), but introduced no new traces. Similarly,

$$\mathrm{new}\ x.xx.0 \xrightarrow{\nu c} cc.0 \xrightarrow{c!c} 0$$

but, taking resources into account, we have

$$\mathrm{new}\ x.xx.0, \emptyset \xrightarrow{\nu c} cc.0, [c \mapsto \mathrm{pri}]$$

at which point the process is stuck: the action $c!c$ is prevented from occurring, because $\llbracket c!c\rrbracket[c \mapsto \mathrm{pri}] = \bot$. This deadlock is exactly what we expect to see when a process attempts to communicate along a private channel. Finally, we have

$$\mathrm{new}\ x.(xx.0 \mid x(y).yx.0) \xrightarrow{\nu c} cc.0 \mid c(y).yc.0 \xrightarrow{\tau} 0 \mid cc.0 \xrightarrow{c!c} 0 \mid 0$$

which, with resources, yields

$$\mathrm{new}\ x.(xx.0 \mid x(y).yx.0), \emptyset \xrightarrow{\nu c} cc.0 \mid c(y).yc.0, [c \mapsto \mathrm{pri}] \xrightarrow{\tau} 0 \mid cc.0, [c \mapsto \mathrm{pri}]$$

Here we see that internal communication along a private channel is both possible and permitted: such internal steps appear as $\tau$ actions to the resource-sensitive stepping relation, and hence always pass through. On the other hand, the internal communication also leaves the ownership of c unchanged. Because it remains private, the final communication $cc$ is stuck, as it should be.

1.3 Process safety

With the simple public/private resource model, faulting occurs only when using an unallocated channel. Our semantic framework can accommodate deallocation, but doing so complicates the full abstraction result, and we wish to focus on the standard π-calculus. Avoiding deallocation allows us to easily characterize "safe" processes: we say $\sigma \vdash P\checkmark$ iff P is closed and all channel constants in P are in $\mathrm{dom}(\sigma)$, and have:

Lemma 1.1 If $\sigma \vdash P\checkmark$ then $P, \sigma \not\xrightarrow{\lightning}$, and if $P, \sigma \xrightarrow{\alpha} P', \sigma'$ then $\sigma' \vdash P'\checkmark$.

2 Denotational semantics: safety traces 

Resources provide an intriguing refactoring of the operational semantics for the π-calculus, but their real payoff comes in the elementary denotational model they support. We begin with a simple trace model capturing only (some) safety properties, which allows us to focus on the role of resources. Afterwards we incorporate liveness (§3) and its interaction with resources.
For the safety model, we have traces t, trace sets T and behaviors B:

$$\mathit{Trace} = \mathit{Action}^* \qquad \mathit{Beh} = \Sigma \to \mathit{TraceSet} \qquad \mathit{TraceSet} = \{T : \varepsilon \in T \subseteq \mathit{Trace},\ T \text{ prefix-closed}\}$$

Processes will denote behaviors: sets of action traces determined by the initially-available resources. Not every action is observable. We follow standard treatments of the π-calculus [19,8] in considering $\tau$ steps unobservable, and eliding $\nu c$ steps until just before the allocated channel c is sent over a public channel (a "bound send"). Our denotational semantics shows that the operators of the π-calculus are congruent for these observables, and the cited works prove that similar observables are fully abstract for yet coarser notions of observation. The observables of an action α are a (possibly empty) trace, depending on the available resources:

Action observables $|\alpha|_\sigma : \mathit{Trace}$

$$|\tau|_\sigma = \varepsilon \qquad |\lightning|_\sigma = \lightning \qquad |\nu c|_\sigma = \varepsilon \qquad |c?d|_\sigma = c?d \qquad |c!d|_\sigma = \begin{cases} \nu d \cdot c!d & \sigma(d) = \mathrm{pri} \\ c!d & \text{otherwise} \end{cases}$$

We write $t \cdot u$ or $tu$ for trace concatenation, and $\varepsilon$ for the empty trace. Although $\nu c$ is not immediately observable, taking a $\nu c$ step affects the resources owned by the process, so exposing c later will cause the step to reemerge.

The behavior of a process can be read from its operational semantics:

Safety observation $\mathcal{O}\llbracket P\rrbracket : \mathit{Beh}$

The goal of the denotational semantics is to calculate the same traces compositionally over process structure.

$\mathit{TraceSet}$ is a complete lattice under the subset order, and behaviors inherit this order structure pointwise: we write $B \sqsubseteq B'$ iff $B(\sigma) \subseteq B'(\sigma)$ for all σ and have $(B \sqcup B')(\sigma) = B(\sigma) \cup B'(\sigma)$. The semantic operators are monotonic (in fact, continuous), so we are justified in defining rec as a fixpoint. For the safety semantics, which is based on finite observation, it is the least fixpoint.

The safety trace model is insensitive to branching behavior of processes [21], so internal and external choice are indistinguishable. We interpret both forms of choice using $\sqcup$, merging behaviors from all the alternatives. For empty summations, $\sqcup$ yields the smallest behavior: $\lambda\sigma.\{\varepsilon\}$.

The denotation function is parameterized by an environment ρ, here taking channel variables x to channels c, and process variables X to behaviors B. It uses two additional operators, $\rhd$ and $\parallel$, which we will define shortly.
Denotational semantics (safety) $\llbracket P\rrbracket : \mathit{Env} \to \mathit{Beh}$

$$\llbracket ee'.P\rrbracket^\rho = \rho e\,!\,\rho e' \rhd \llbracket P\rrbracket^\rho \qquad\quad \llbracket e(x).P\rrbracket^\rho = \bigsqcup_d \rho e\,?\,d \rhd \llbracket P\rrbracket^{\rho[x \mapsto d]} \qquad\quad \llbracket \textstyle\sum_i \pi_i.P_i\rrbracket^\rho = \bigsqcup_i \llbracket \pi_i.P_i\rrbracket^\rho$$

$$\llbracket P \oplus Q\rrbracket^\rho = \llbracket P\rrbracket^\rho \sqcup \llbracket Q\rrbracket^\rho \qquad\quad \llbracket \mathrm{new}\ x.P\rrbracket^\rho = \bigsqcup_c \nu c \rhd \llbracket P\rrbracket^{\rho[x \mapsto c]} \qquad\quad \llbracket P|Q\rrbracket^\rho = \llbracket P\rrbracket^\rho \parallel \llbracket Q\rrbracket^\rho$$

$$\llbracket \mathrm{rec}\ X.P\rrbracket^\rho = \mathrm{lfp}\,(\lambda B.\,\llbracket P\rrbracket^{\rho[X \mapsto B]}) \qquad\quad \llbracket X\rrbracket^\rho = \rho(X)$$

The interpretation of prefixed processes resembles the operational semantics: each clause of the denotational semantics generates all locally-reasonable actions, without immediately checking global plausibility. We use $\sqcup$ to join the behaviors arising from each action — once more reflecting nondeterminism — and we update the environment as necessary. The operator $\alpha \rhd B$ prefixes an action α to a behavior B in a resource-sensitive way, playing a role akin to the second layer of the operational semantics:

Semantic prefixing $\alpha \rhd B : \mathit{Beh}$

$$(\alpha \rhd B)(\sigma) = \{|\alpha|_\sigma \cdot t : \llbracket\alpha\rrbracket\sigma = \sigma',\ t \in B(\sigma')\} \cup \{\lightning : \llbracket\alpha\rrbracket\sigma = \top\} \cup \{\varepsilon\}$$

To maintain prefix-closure, we include $\varepsilon$ as a possible trace. A quick example:

$$\llbracket \mathrm{new}\ x.xx.0\rrbracket^\rho = \bigsqcup_c \nu c \rhd \llbracket xx.0\rrbracket^{\rho[x \mapsto c]} = \bigsqcup_c \nu c \rhd c!c \rhd \llbracket 0\rrbracket^{\rho[x \mapsto c]} = \bigsqcup_c \nu c \rhd c!c \rhd \lambda\sigma.\{\varepsilon\}$$

This expansion of the definition resembles the traces we see from the first layer of the operational semantics, without taking resources into account. The denotation, recall, is a behavior: to extract its set of traces, we must apply it to some particular resource σ. If we use the empty resource, we see that

$$\Big(\bigsqcup_c \nu c \rhd c!c \rhd \lambda\sigma.\{\varepsilon\}\Big)(\emptyset) = \{\varepsilon\} \cup \bigcup_c \{\nu c \cdot t : t \in (c!c \rhd \lambda\sigma.\{\varepsilon\})[c \mapsto \mathrm{pri}]\} = \{\varepsilon\} \cup \bigcup_c \{\nu c \cdot t : t \in \{\varepsilon\}\}$$

in other words, we have $\llbracket \mathrm{new}\ x.xx.0\rrbracket^\rho(\emptyset) = \{\varepsilon\} \cup \bigcup_c \{\nu c\}$. Just as in the operational semantics, the fact that $\llbracket c!c\rrbracket[c \mapsto \mathrm{pri}] = \bot$ prevents the $c!c$ step from being recorded. Here, the prefix closure (in particular, the inclusion of $\varepsilon$ in every application of $\rhd$) ensures that we see the trace up to the point that we attempt an impossible action.

Finally, we have parallel composition — the most interesting semantic operator. Here we must ask a crucial question for the denotational semantics: if σ is the resource belonging to P|Q, what resources do we provide to P and Q? The question does not come up in the operational semantics, which maintains a single, global resource state, but a compositional semantics must answer it.
Consider the process new x.(xc | x(z)). When the process reaches the parallel composition, x will still be private. The privacy of x means that the subprocesses can only communicate with each other (yielding $\tau$), not with the external environment of the process. But the subprocesses are communicating with environments external to themselves — namely, each other. That is, x is private to xc | x(z), which cannot communicate along it externally, but it is public to the subprocesses xc and x(z), which can.

Formally, we capture this narrative as follows:

Semantic parallel composition $B_1 \parallel B_2 : \mathit{Beh}$

$$(B_1 \parallel B_2)(\sigma) = \bigcup_{t_i \in B_i(\hat\sigma)} (t_1 \parallel t_2)(\sigma) \qquad \text{where } \hat\sigma(c) = \begin{cases} \mathrm{pub} & c \in \mathrm{dom}(\sigma) \\ \text{undefined} & \text{otherwise} \end{cases}$$



The resource σ given to a parallel composition of behaviors is fed in public-lifted form ($\hat\sigma$) to the composed behaviors, yielding two sets of traces. For each pair of traces $t_1$ and $t_2$ from these sets, we calculate all interleavings $t_1 \parallel t_2$:

Trace interleavings $t \parallel u : \mathit{Beh}$

$$t \parallel u = \begin{array}{ll} \lambda\sigma.\{\varepsilon\} & \text{if } t = \varepsilon = u \\ \sqcup\ \alpha \rhd (t' \parallel u) & \text{if } t = \alpha t' \\ \sqcup\ \alpha \rhd (t \parallel u') & \text{if } u = \alpha u' \\ \sqcup\ t' \parallel u' & \text{if } t = \alpha t',\ u = \overline{\alpha} u' \end{array}$$



Interleaving at first glance appears standard, but note the use of semantic prefixing $\rhd$: the interleavings are not simply another set of traces, they are given as a behavior that must be evaluated. We evaluate with the original resources σ. The effect is that each interleaving is checked with respect to the resources held by the combined process. This additional check is the key to making the "declare everything public" approach work, allowing us to take into account channels that are private from the point of view of the combined process, but public between the subprocesses.

An example helps illuminate the definitions: take the process dc | d(z) with resources $\sigma = [c \mapsto \mathrm{pub}][d \mapsto \mathrm{pri}]$. It is easy to calculate that

$$\llbracket dc\rrbracket^\rho(\hat\sigma) = \{\varepsilon, d!c\} \qquad \llbracket d(z)\rrbracket^\rho(\hat\sigma) = \{\varepsilon\} \cup \{d?e : e \in \mathit{Chan}\}$$
$$d!c \parallel d?c = (d!c \rhd d?c \rhd \lambda\sigma.\{\varepsilon\}) \sqcup (d?c \rhd d!c \rhd \lambda\sigma.\{\varepsilon\}) \sqcup (\lambda\sigma.\{\varepsilon\})$$

The interleaving $d!c \parallel d?c$ includes the case that $d!c$ and $d?c$ are two sides of the same communication (yielding $\lambda\sigma.\{\varepsilon\}$) and the two possible orderings if they are not. From the point of view of $\hat\sigma$, which has lost the information that d is private to the combined process, this is the most we can say. However,
the interleaving is built using the prefixing operation $\rhd$, so when we evaluate it with respect to the original σ, some traces will be silently dropped:

$$(d!c \parallel d?c)(\sigma) = (d!c \rhd d?c \rhd \lambda\sigma.\{\varepsilon\})(\sigma) \cup (d?c \rhd d!c \rhd \lambda\sigma.\{\varepsilon\})(\sigma) \cup (\lambda\sigma.\{\varepsilon\})(\sigma) = \{\varepsilon\} \cup \{\varepsilon\} \cup \{\varepsilon\}$$

In particular, for any B we have $(d!c \rhd B)(\sigma) = (d?c \rhd B)(\sigma) = \{\varepsilon\}$ because $\sigma(d) = \mathrm{pri}$. We are left only with traces that could arise from internal communication, as expected. That is, $\llbracket \mathrm{new}\ x.(xc \mid x(y))\rrbracket^\rho\,[c \mapsto \mathrm{pub}] = \{\varepsilon\}$. More generally, we can show $\llbracket \mathrm{new}\ x.(xc \mid x(y))\rrbracket^\rho\,\sigma = \llbracket 0\rrbracket^\rho\,\sigma$ whenever $c \in \mathrm{dom}(\sigma)$.

Because $\llbracket\lightning\rrbracket\sigma = \top$, we have $\lightning \rhd B = \lambda\sigma.\{\lightning, \varepsilon\}$ for any B. Thus, when a $\lightning$ action is interleaved, the interleaving is terminated with that action.

In summary, we calculate the traces of P|Q by calculating the traces of P and Q under conservatively public-lifted resources, then evaluating the interleavings with complete information about what resources P|Q actually owns.

Example calculations 

Before proving full abstraction, we briefly examine a few of the expected laws. For example, why does $\llbracket \mathrm{new}\ x.0\rrbracket = \llbracket 0\rrbracket$? Expanding the former, we get $\bigsqcup_c \nu c \rhd \lambda\sigma.\{\varepsilon\}$. When applied to a particular σ, this behavior yields the simple set $\{\varepsilon\}$, because $|\nu c|_\sigma = \varepsilon$. This simple example sheds light on the importance of action observation $|\cdot|$: it is crucial for ignoring when, or in some cases whether, channels are allocated.

A more complex example is the following:

$$\begin{array}{rcl} \llbracket \mathrm{new}\ x.\mathrm{new}\ y.P\rrbracket^\rho & = & \bigsqcup_c \nu c \rhd \llbracket \mathrm{new}\ y.P\rrbracket^{\rho[x \mapsto c]} \\ & = & \bigsqcup_c \nu c \rhd \bigsqcup_d \nu d \rhd \llbracket P\rrbracket^{\rho[x \mapsto c, y \mapsto d]} \\ & = & \bigsqcup_{c,d} \nu c \rhd \nu d \rhd \llbracket P\rrbracket^{\rho[x \mapsto c, y \mapsto d]} \\ & = & \bigsqcup_{c,d} \nu d \rhd \nu c \rhd \llbracket P\rrbracket^{\rho[x \mapsto c, y \mapsto d]} \\ & = & \bigsqcup_d \nu d \rhd \llbracket \mathrm{new}\ x.P\rrbracket^{\rho[y \mapsto d]} \;=\; \llbracket \mathrm{new}\ y.\mathrm{new}\ x.P\rrbracket^\rho \end{array}$$

The key step is swapping $\nu c$ and $\nu d$, which relies on the lemma $\nu c \rhd \nu d \rhd B = \nu d \rhd \nu c \rhd B$. The validity of this lemma, again, relies on observability: $|\nu c|_\sigma = |\nu d|_\sigma = \varepsilon$ for all σ.
2.1 Congruence for the basic operators

We prove full abstraction by proving a congruence result for each operator in the language. For the operators other than parallel composition, we show:

Lemma 2.1 (Core congruences) All of the following equivalences on closed processes hold:

(i) $\mathcal{O}\llbracket 0\rrbracket = \llbracket 0\rrbracket^\rho$

(ii) $\mathcal{O}\llbracket cd.P\rrbracket = c!d \rhd \mathcal{O}\llbracket P\rrbracket$

(iii) $\mathcal{O}\llbracket c(x).P\rrbracket = \bigsqcup_d c?d \rhd \mathcal{O}\llbracket P\{d/x\}\rrbracket$

(iv) $\mathcal{O}\llbracket \mathrm{new}\ x.P\rrbracket = \bigsqcup_c \nu c \rhd \mathcal{O}\llbracket P\{c/x\}\rrbracket$

(v) $\mathcal{O}\llbracket \textstyle\sum_i \pi_i.P_i\rrbracket = \bigsqcup_i \mathcal{O}\llbracket \pi_i.P_i\rrbracket$

(vi) $\mathcal{O}\llbracket P \oplus Q\rrbracket = \mathcal{O}\llbracket P\rrbracket \sqcup \mathcal{O}\llbracket Q\rrbracket$

These equivalences are straightforward to show; we prove each by showing containment in both directions. For illustration, we give the proof that $\mathcal{O}\llbracket c(x).P\rrbracket \sqsubseteq \bigsqcup_d c?d \rhd \mathcal{O}\llbracket P\{d/x\}\rrbracket$:

Proof. Let $\sigma \in \Sigma$ and $t \in \mathcal{O}\llbracket c(x).P\rrbracket\sigma$. We analyze cases on the derivation of $t \in \mathcal{O}\llbracket c(x).P\rrbracket\sigma$:

Case: $\dfrac{}{\varepsilon \in \mathcal{O}\llbracket c(x).P\rrbracket\sigma}$

Let d be a channel. Then $t = \varepsilon \in c?d \rhd \mathcal{O}\llbracket P\{d/x\}\rrbracket$ by definition of $\rhd$. The result follows by monotonicity of $\sqcup$.

Case: $\dfrac{c(x).P, \sigma \xrightarrow{\alpha} P', \sigma' \qquad t' \in \mathcal{O}\llbracket P'\rrbracket\sigma'}{\alpha \cdot t' \in \mathcal{O}\llbracket c(x).P\rrbracket\sigma}$

Reasoning by inversion, we see that there are two subcases:

Subcase: $\exists d.\ \alpha = c?d$, $\llbracket c?d\rrbracket\sigma = \sigma'$, $P' = P\{d/x\}$

Then $t = \alpha t' \in \bigsqcup_d c?d \rhd \mathcal{O}\llbracket P\{d/x\}\rrbracket$ trivially by the definition of $\rhd$.

Subcase: $\alpha = \lightning$, $c \notin \mathrm{dom}(\sigma)$, $P' = 0$

Then $t = \alpha t' = \lightning$ because $\mathcal{O}\llbracket 0\rrbracket\sigma' = \{\varepsilon\}$. That $\lightning \in \bigsqcup_d c?d \rhd \mathcal{O}\llbracket P\{d/x\}\rrbracket$ again follows easily by the definition of $\rhd$. □
2.2 Congruence for parallel composition

The justification of our treatment of parallel composition goes back to the intuitions from the beginning of the paper: concurrent processes must divide resources amongst themselves, with each process using only those resources it owns. We say σ separates into $\sigma_1$ and $\sigma_2$ if the following conditions hold:

Parallel separation $(\sigma_1 \parallel \sigma_2) \subseteq \Sigma$

$$\sigma \in (\sigma_1 \parallel \sigma_2) \quad\text{iff}\quad \begin{array}{l} \mathrm{dom}(\sigma) = \mathrm{dom}(\sigma_1) \cup \mathrm{dom}(\sigma_2) \\ \sigma_1(c) = \mathrm{pri} \implies \sigma(c) = \mathrm{pri},\ c \notin \mathrm{dom}(\sigma_2) \\ \sigma_2(c) = \mathrm{pri} \implies \sigma(c) = \mathrm{pri},\ c \notin \mathrm{dom}(\sigma_1) \end{array}$$


We understand this definition as saying: if $\sigma_1$ and $\sigma_2$ are resources separately held by P and Q respectively, then σ is possibly the resource held by P|Q. The subresources $\sigma_i$ do not uniquely determine a combination σ because resources public to the subprocess may, or may not, be private to the combined process.³ Separation crisply captures the desired meaning of public and private ownership: if one subprocess owns a resource privately ($\sigma_1(c) = \mathrm{pri}$), then the other subprocess does not own the resource at all ($c \notin \mathrm{dom}(\sigma_2)$), but both processes may own a resource publicly.

To show that $\mathcal{O}\llbracket P_1|P_2\rrbracket = \mathcal{O}\llbracket P_1\rrbracket \parallel \mathcal{O}\llbracket P_2\rrbracket$, we must show that our strategy of interleaving traces from publicly-lifted resources agrees with the global operational semantics. A key idea is that $\sigma \in \sigma_1 \parallel \sigma_2$ constitutes an invariant relationship between the resources owned by subprocesses (in the denotational semantics) and those owned by the composite process (in the operational semantics). The invariant holds initially because $\sigma \in \hat\sigma \parallel \hat\sigma$.

The unobservability of $\nu c$ steps complicates matters somewhat: it means there is an additional perspective on resources — call it $\sigma_{den}$ — owned by a composite process. Generally, $\sigma_{den}$ underestimates the true resources σ of the operational semantics. Consider the denotational interleaving of two traces $t_1$ and $t_2$ from subprocesses $P_1$ and $P_2$ respectively. If $P_1$ allocates a channel, that allocation does not appear immediately in $t_1$, and hence does not appear immediately in the resources $\sigma_{den}$ of the interleaving, while it would appear in σ operationally. During denotational interleaving, the same channel can even be owned privately in both $\sigma_1$ and $\sigma_2$. The key observation here is that either both subprocesses eventually reveal a given private channel — in which case the denotational interleaving is filtered out — or at least one subprocess does not — in which case its choice of channel is irrelevant. Altogether, the



³ This means that Σ with $\parallel$ does not form a separation algebra [5]; see §5.1.

four resources — $\sigma_{op}$, $\sigma_{den}$, $\sigma_1$, and $\sigma_2$ — are always related:

$$\mathcal{I}(\sigma_{op}, \sigma_{den}, \sigma_1, \sigma_2) \;\triangleq\; \sigma_{op} \in \sigma_1 \parallel \sigma_2,\quad \sigma_{den} = \sigma_{op} \setminus \{c : \sigma_1(c) = \mathrm{pri} \vee \sigma_2(c) = \mathrm{pri}\}$$
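As an added illustration of the separation relation just defined (not code from the paper), the block below enumerates $\sigma_1 \parallel \sigma_2$ over a constructed two-channel universe, together with the public lifting $\hat\sigma$ of the parallel-composition definition and the $\sigma_{den}$ projection from the invariant $\mathcal{I}$. Resources are Python dicts from channel name to "pub"/"pri"; an absent key means the channel is unallocated. It shows that two public subresources combine to either a public or a private σ (the non-uniqueness remarked on above), that $\sigma \in \hat\sigma \parallel \hat\sigma$ always holds, and that a channel private in one subresource excludes it from the other.

```python
"""Parallel separation sigma in (sigma1 || sigma2) from section 2.2, enumerated over a
constructed finite channel universe, plus the public lifting sigma-hat of section 2 and
the sigma_den projection of the invariant I.  Added illustration, not the authors' code."""
from itertools import product

PUB, PRI = "pub", "pri"
CHANS = ("c", "d")           # constructed finite Chan; the paper's is infinite

def separates(s, s1, s2):
    """sigma in sigma1 || sigma2: the three conditions of the definition."""
    if set(s) != set(s1) | set(s2):                 # dom(sigma) = dom(sigma1) u dom(sigma2)
        return False
    for mine, other in ((s1, s2), (s2, s1)):        # private here => private in sigma, absent there
        for c, own in mine.items():
            if own == PRI and not (s.get(c) == PRI and c not in other):
                return False
    return True

def all_resources():
    """Every partial map from CHANS to {pub, pri} (None = unallocated)."""
    for owns in product((None, PUB, PRI), repeat=len(CHANS)):
        yield {c: o for c, o in zip(CHANS, owns) if o is not None}

def combinations(s1, s2):
    """The set sigma1 || sigma2, as a list in enumeration order."""
    return [s for s in all_resources() if separates(s, s1, s2)]

def lift(s):
    """sigma-hat: every owned channel becomes public, nothing else changes."""
    return {c: PUB for c in s}

def den_view(s_op, s1, s2):
    """sigma_den = sigma_op minus the channels private in either subresource."""
    return {c: o for c, o in s_op.items() if s1.get(c) != PRI and s2.get(c) != PRI}

if __name__ == "__main__":
    print(combinations({"c": PUB}, {"c": PUB}))      # two candidates: c public or c private
    print(combinations({"c": PRI}, {"c": PUB}))      # empty: a private c cannot be shared
    print(all(separates(s, lift(s), lift(s)) for s in all_resources()))   # True
```

The enumeration is exhaustive only because the channel universe is finite; the point it makes, that separation constrains σ without determining it, is independent of that restriction.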

Validating parallel composition requires another important lemma, locality from abstract separation logic [5].⁴

Lemma 2.2 (Locality) If $\sigma \in \sigma_1 \parallel \sigma_2$ then

• if $\llbracket\alpha\rrbracket\sigma = \top$ then $\llbracket\alpha\rrbracket\sigma_1 = \top$, and

• if $\llbracket\alpha\rrbracket\sigma = \sigma'$ then $\llbracket\alpha\rrbracket\sigma_1 = \top$ or $\llbracket\alpha\rrbracket\sigma_1 = \sigma_1'$ for some $\sigma_1'$ with $\sigma' \in \sigma_1' \parallel \sigma_2$.

The lemma characterizes the transformations an action can make given some composite resources σ in terms of its behavior on subresources $\sigma_1$. Providing additional resources can never introduce new faults, and if the action does not fault given just $\sigma_1$ resources, then the changes it makes to σ must only change the $\sigma_1$ portion (framing).

Locality was introduced to characterize the frame rule of separation logic [5], 
but we use it here to characterize interleaving steps in parallel composition. 
We have a related lemma for internal communication steps: 

Lemma 2.3 (Communication) If $\sigma \in \sigma_1 \parallel \sigma_2$, $\llbracket\alpha\rrbracket\sigma_1 = \sigma_1'$ and $\llbracket\overline{\alpha}\rrbracket\sigma_2 = \sigma_2'$ then $\sigma \in \sigma_1' \parallel \sigma_2'$.

We prove each direction of congruence separately: 

Lemma 2.4 If $\mathcal{I}(\sigma_{op}, \sigma_{den}, \sigma_1, \sigma_2)$, $\sigma_i \vdash P_i\checkmark$ and $t \in \mathcal{O}\llbracket P_1|P_2\rrbracket\sigma_{op}$ then $t \in (t_1 \parallel t_2)(\sigma_{den})$ for some $t_i \in \mathcal{O}\llbracket P_i\rrbracket\sigma_i$.

Lemma 2.5 If $\mathcal{I}(\sigma_{op}, \sigma_{den}, \sigma_1, \sigma_2)$, $\sigma_i \vdash P_i\checkmark$, $t_i \in \mathcal{O}\llbracket P_i\rrbracket\sigma_i$, and $t \in (t_1 \parallel t_2)(\sigma_{den})$ then $t \in \mathcal{O}\llbracket P_1|P_2\rrbracket\sigma_{op}$.

The first of these two lemmas is easier to prove, because we are given 
a trace t derived from the operational semantics of the composite processes. 
This means that the subprocesses are guaranteed not to independently allocate 
the same channel. The second lemma requires more care, using the insights 
mentioned above about renaming unexposed channels. 

The assumptions $\sigma_i \vdash P_i\checkmark$ are needed to ensure that the processes we are working with do not fault. The reason that faulting is problematic is seen in



⁴ For simplicity we avoid the order-theoretic definition here, which requires lifting some of our constructions to $2^\Sigma$ in a way that is not otherwise useful.
the following example:

$$\begin{array}{rl} & \mathrm{new}\ x.cx.0 \mid c(y).cy.dy.0,\ [c \mapsto \mathrm{pub}] \\ \xrightarrow{\nu d} & cd.0 \mid c(y).cy.dy.0,\ [c \mapsto \mathrm{pub}, d \mapsto \mathrm{pri}] \\ \xrightarrow{\tau} & 0 \mid cd.dc.0,\ [c \mapsto \mathrm{pub}, d \mapsto \mathrm{pri}] \\ \xrightarrow{c!d} & 0 \mid dc.0,\ [c \mapsto \mathrm{pub}, d \mapsto \mathrm{pub}] \\ \xrightarrow{d!c} & 0 \mid 0,\ [c \mapsto \mathrm{pub}, d \mapsto \mathrm{pub}] \end{array}$$

The uncomfortable aspect of this derivation is that the channel d occurred in 
the process initially, even though it was not owned. As a result, the process 
was able to allocate d, in a sense falsely capturing the constant d that initially 
appeared. In cases where the process allocates a different channel than d, it 
will fault when it attempts to communicate along the constant channel d. But 
in this "lucky" case, the operational semantics allows communication along 
the constant channel. 

The denotational semantics, however, always generates a fault. It com- 
putes the traces compositionally, meaning that a channel d allocated by one 
subprocess is not immediately available for use by a parallel subprocess. 

Our full abstraction result applies only to nonfaulty processes, which, fortunately, is a trivial syntactic check. However, this does limit its applicability to languages that include features like deallocation, which makes checking for safety more difficult.

2.3 Full abstraction 

To complete the proof of full abstraction, we must deal with recursion. We begin with the usual unwinding lemma, proved in the standard syntactic way:

Lemma 2.6 (Unwinding) We have $\mathcal{O}\llbracket \mathrm{rec}\ X.P\rrbracket = \bigsqcup_n \mathcal{O}\llbracket \mathrm{rec}_n\ X.P\rrbracket$, where $\mathrm{rec}_0\ X.P = \mathrm{rec}\ X.X$ and $\mathrm{rec}_{n+1}\ X.P = P\{\mathrm{rec}_n\ X.P / X\}$.

We also have the standard substitution lemmas: 

Lemma 2.7 (Substitution) We have $\llbracket P[Q/X]\rrbracket^\rho = \llbracket P\rrbracket^{\rho[X \mapsto \llbracket Q\rrbracket^\rho]}$ and $\llbracket P[c/x]\rrbracket^\rho = \llbracket P\rrbracket^{\rho[x \mapsto c]}$.

Combining these lemmas with the previous congruence results, it is straightforward to show the following theorem relating the observed operational traces to those calculated denotationally:

Theorem 2.8 (Congruence) If P is closed and $\sigma \vdash P\checkmark$ then $\mathcal{O}\llbracket P\rrbracket\sigma = \llbracket P\rrbracket^\rho\sigma$.

To prove this theorem, we must generalize it to deal with open terms. We do this by introducing a syntactic environment η as a finite map taking channel variables to channels and process variables to closed processes. Given a
syntactic environment η the corresponding semantic environment $\hat\eta$ is given by:

$$\hat\eta(x) = \eta(x) \qquad \hat\eta(X) = \mathcal{O}\llbracket \eta(X)\rrbracket$$

We write ηP for the application of η as a syntactic substitution on P. The needed induction hypothesis for congruence is then

$$\text{if } \sigma \vdash \eta P\checkmark \text{ then } \mathcal{O}\llbracket \eta P\rrbracket\sigma = \llbracket P\rrbracket^{\hat\eta}\sigma.$$

Define $P \equiv_{den} Q$ iff $\llbracket P\rrbracket^\rho\sigma = \llbracket Q\rrbracket^\rho\sigma$ for all σ such that $\sigma \vdash P\checkmark$ and $\sigma \vdash Q\checkmark$. Likewise, let $P \equiv_{op} Q$ iff $\mathcal{O}\llbracket C[P]\rrbracket\sigma = \mathcal{O}\llbracket C[Q]\rrbracket\sigma$ for all contexts C with $\sigma \vdash C[P]\checkmark$ and $\sigma \vdash C[Q]\checkmark$. Full abstraction follows by compositionality:

Theorem 2.9 (Full abstraction) $P \equiv_{den} Q$ iff $P \equiv_{op} Q$.

3 Denotational semantics: adding liveness 

To round out our study of the π-calculus, we must account for liveness properties. Liveness in process algebra appears under diverse guises, differing in sensitivity to branching behavior and divergence [21]. Each account of liveness corresponds to some choice of basic observable: given a process P and a context C, what behavior of C[P] matters?

The standard observable for the π-calculus is barbed bisimilarity [13], which sits quite far on the branching side of the linear-branching time spectrum [21]. Here, we choose a treatment more in the spirit of linear time: an adaptation of acceptance traces [8]. This choice is partly a matter of taste, but it also allows us to stick with a purely trace-theoretic semantics, which keeps the domain theory to a minimum. We do not see any immediate obstacles to applying our resource-based handling of names to a branching-time semantics. Branching sensitivity and resource-sensitivity seem largely orthogonal, though of course branches may be pruned when deemed impossible given the owned resources.

3.1 Liveness observables 

We say that a process diverges if it can perform an infinite sequence of
unobservable (i.e., internal) steps without any intervening interactions with its
environment — which is to say, the process can livelock. On the other hand, a
process that can make no further unobservable steps is blocked (waiting for
interaction from its environment).

The basic observables in our model are:

• A finite sequence of interactions, after which the process diverges or faults;

• A finite sequence of interactions, after which the process is blocked, along
with which channels it is blocked on; and

• An infinite sequence of interactions.

Notice that we have conflated divergence and faulting: we view both as
erroneous behavior. In particular, we view any processes that are capable of
immediately diverging or faulting as equivalent, regardless of their other
potential behavior. This perspective is reasonable — meaning that it yields a
congruence — because such behavior is effectively uncontrollable. For example,
if P can immediately diverge, so can P|Q for any Q.

Formally, we add a new action $\delta_A$ which records that a process is blocked
attempting communication along the finite set of directions $A$:

$\alpha ::= \cdots \mid \delta_A \qquad A \subseteq_{\mathrm{fin}} \mathrm{DIR} = \{c! : c \in \mathrm{CHAN}\} \cup \{c? : c \in \mathrm{CHAN}\}$

We then define

$\mathrm{LTrace} = \mathrm{NTAction}^*;\{\lightning, \delta_A\} \;\cup\; \mathrm{NTAction}^\omega \qquad \mathrm{LBeh} = \Sigma \to 2^{\mathrm{LTrace}}$

where NTAction (for "non-terminating action") refers to all actions except
for ↯ or blocking actions $\delta_A$. Thus finite liveness traces must end with either
a $\delta_A$ action or a ↯ action, whereas neither of these actions can appear in an
infinite trace.

Each liveness trace encompasses a complete behavior of the process: either
the process continues interacting indefinitely, yielding an infinite trace, or
diverges, faults or gets stuck after a finite sequence of interactions. Therefore,
sets of liveness traces are not prefix-closed.

As with the safety traces, we can observe liveness traces from the operational
semantics. However, we do so using the greatest fixpoint of the following
rules:

Liveness observation $\mathcal{LO}[\![P]\!] : \mathrm{LBeh}$

$$\frac{P,\sigma \xrightarrow{\alpha} P',\sigma' \quad \alpha \neq \lightning \quad t \in \mathcal{LO}[\![P']\!]\sigma'}{(\!|\alpha|\!)\sigma\, t \in \mathcal{LO}[\![P]\!]\sigma}\ (\mathrm{gfp})
\qquad
\frac{P,\sigma\,\lightning}{\lightning \in \mathcal{LO}[\![P]\!]\sigma}\ (\mathrm{gfp})
\qquad
\frac{P,\sigma\ \mathrm{blocked}\ A}{\delta_A \in \mathcal{LO}[\![P]\!]\sigma}\ (\mathrm{gfp})$$

where $P,\sigma$ blocked $A$ means that $P,\sigma$ can only take communication steps,
and $A$ contains precisely the directions of available communication. Since
the owned resources influence which communications are possible, they also
influence the directions on which a process is blocked:

$\delta_{\{c!\}} \in \mathcal{LO}[\![\bar{c}c.0]\!][c \mapsto \mathrm{pub}] \qquad \delta_{\emptyset} \in \mathcal{LO}[\![\bar{c}c.0]\!][c \mapsto \mathrm{pri}]$

The action $\delta_\emptyset$ reflects a completely deadlocked process, and is for example the
sole trace of the inert process 0.

Defining the observations via a greatest fixpoint allows for infinite traces
to be observed, but also means that if a process diverges after a trace $t$, its
behavior will contain all traces $tu$, in particular $t\lightning$. For example, suppose
$P,\sigma \to P,\sigma$. If $t$ is any liveness trace whatsoever, we can use the first inference
rule to show, coinductively, that $t \in \mathcal{LO}[\![P]\!]\sigma$. We merely assume that
$t \in \mathcal{LO}[\![P]\!]\sigma$, and derive that $(\!|\tau|\!)\sigma\, t = t \in \mathcal{LO}[\![P]\!]\sigma$. Thus, divergence is
"catastrophic" (as in failures/divergences [4]).

An important step toward making these observables coherent is the notion 
of refinement. In general, saying that P refines Q (or P "implements" Q) is 
to say that every behavior of P is a possible behavior of Q. In other words, P 
is a more deterministic version of Q. We define a refinement order on traces: 

$t \sqsubseteq t \qquad t\delta_A \sqsubseteq t\delta_{A'}\ \text{if}\ A' \subseteq A \qquad tu \sqsubseteq t\lightning$

which we lift to sets of traces as: $T \sqsubseteq U$ iff $\forall t \in T.\ \exists u \in U.\ t \sqsubseteq u$. This notion
of refinement, which closely follows that of acceptance traces [8], says that 
an implementation must allow at least the external choices that its specifi- 
cation does. It also treats faulting as the most permissive specification: if 
Q faults, then any P will refine Q. Moreover, any two immediately-faulting 
processes are equivalent. Since faulting and divergence are treated identically, 
the same holds for divergent processes. Thus, the simple refinement order- 
ing on traces has an effect quite similar to the closure conditions imposed in 
failures/divergences semantics. 
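The refinement order above, on traces and then lifted to trace sets, as an added example (this is illustration code, not the paper's own). Actions are constructed `(channel, direction)` pairs; infinite traces are represented as ultimately periodic words, a simplification that is adequate here because an infinite trace refines, and is refined by, only itself. The sample trace sets (an external choice, an internal choice, a loop, and two immediately faulting processes) are constructed for this example.

```python
"""Refinement order on liveness traces (added illustration, not the paper's code).

A finite trace is a tuple of (channel, direction) actions ending in exactly one
terminal: FAULT (the ↯ action) or block(...) (the δ_A action).  Infinite traces
are ultimately periodic words inf(prefix, cycle) -- a constructed simplification.
"""

FAULT = ('FAULT',)


def act(direction):
    """'c!' -> ('c', '!'), 'c?' -> ('c', '?')."""
    return (direction[:-1], direction[-1])


def block(*directions):
    """The terminal action δ_A with A = {directions}."""
    return ('BLOCK', frozenset(act(d) for d in directions))


def fin(*directions, end):
    """A finite liveness trace: the interactions followed by one terminal action."""
    return tuple(act(d) for d in directions) + (end,)


def inf(prefix, cycle):
    """An infinite trace prefix . cycle^ω (the cycle must be non-empty)."""
    assert cycle
    return ('INF', tuple(act(d) for d in prefix), tuple(act(d) for d in cycle))


def is_infinite(t):
    return t[0] == 'INF'


def interactions(t, n):
    """The first n interactions of t, unrolling the cycle of an infinite trace;
    a finite trace with fewer than n interactions yields fewer than n."""
    if is_infinite(t):
        _, prefix, cycle = t
        out = list(prefix)
        while len(out) < n:
            out.extend(cycle)
        return tuple(out[:n])
    return t[:-1][:n]


def refines(t, u):
    """t ⊑ u by the three rules:  t ⊑ t;  tδ_A ⊑ tδ_A' if A' ⊆ A;  tv ⊑ t↯."""
    if t == u:
        return True
    if is_infinite(u):
        return False                      # an infinite trace is refined only by itself
    body, end = u[:-1], u[-1]
    if end == FAULT:
        # u = body↯ is refined by every trace whose interactions start with body
        return interactions(t, len(body)) == body
    if not is_infinite(t) and t[-1][0] == 'BLOCK':
        # same interactions, and the implementation offers at least the spec's choices
        return t[:-1] == body and end[1] <= t[-1][1]
    return False


def set_refines(T, U):
    """T ⊑ U iff ∀t ∈ T. ∃u ∈ U. t ⊑ u."""
    return all(any(refines(t, u) for u in U) for t in T)


# Constructed sample behaviours.
# External choice between c! and d?, then deadlock (more deterministic):
IMPL = {fin(end=block('c!', 'd?')), fin('c!', end=block()), fin('d?', end=block())}
# Internal choice: commits to one branch before offering it (less deterministic):
SPEC = {fin(end=block('c!')), fin('c!', end=block()),
        fin(end=block('d?')), fin('d?', end=block())}
# A process that sends on c forever, or deadlocks after two sends:
LOOP = {inf([], ['c!']), fin('c!', 'c!', end=block())}
# Immediately faulting/diverging processes: the most permissive specifications.
CATASTROPHE = {fin(end=FAULT)}
DIVERGENT = {fin(end=FAULT), fin('c!', end=block()), fin('c!', end=FAULT)}

if __name__ == '__main__':
    print(set_refines(IMPL, SPEC), set_refines(SPEC, IMPL))          # True False
    print(set_refines(LOOP, CATASTROPHE), set_refines(CATASTROPHE, LOOP))  # True False
    print(set_refines(DIVERGENT, CATASTROPHE), set_refines(CATASTROPHE, DIVERGENT))  # True True
```

The last line shows the point made in the text: once ↯ is in a set, that set is equivalent to the set containing only ↯, since every trace refines the faulting one and ↯ refines itself.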

The ordering on trace sets inherits the complete lattice structure of $2^{\mathrm{LTrace}}$,
as does the pointwise order on LBeh. We again exploit this fact when
interpreting recursion.

3.2 Liveness semantics 

To complete the semantic story, we need to interpret blocking actions. We
define

$$(\!|\delta_A|\!)\sigma = \begin{cases} \lightning & \text{if } \exists c.\ (c! \in A \vee c? \in A) \wedge c \notin \mathrm{dom}(\sigma) \\ \delta_{A'} & \text{otherwise, where } A' = A \restriction \{c : \sigma(c) = \mathrm{pub}\} \end{cases}$$

which shows the interaction between resources and blocking: blocking on a
private resource is possible, but unobservable (cf. projection on $\delta$ in [2]). For
example, we have

$(\!|\delta_{\{d!\}}|\!)[c \mapsto \mathrm{pub}] = \lightning \qquad (\!|\delta_{\{c!\}}|\!)[c \mapsto \mathrm{pub}] = \delta_{\{c!\}} \qquad (\!|\delta_{\{c!\}}|\!)[c \mapsto \mathrm{pri}] = \delta_{\emptyset}$



The denotational semantics for liveness, $\mathcal{L}[\![-]\!]$, is largely the same as that
for safety, except for the following clauses:

$\mathcal{L}[\![\mathrm{rec}\ X.P]\!] = \nu B.\ \mathcal{L}[\![P]\!]^{[X \mapsto B]}$

Recursion is given by a greatest fixpoint, as expected. A summation of prefixed
actions now generates a corresponding blocking set, recording the external
choice (where dir extracts the direction of a prefix). The blocking action is
"executed" using the prefixing operator $\rhd$ so that the actual observed action
corresponds to the available resources, as in the example above.
Finally, we use the following definition of interleaving:

$t \parallel u =_{\mathrm{gfp}} \quad \alpha \rhd (t' \parallel u) \qquad \text{if } t = \alpha t',\ \alpha \text{ not blocking}$
$\qquad\qquad\quad \cup\ \alpha \rhd (t \parallel u') \qquad \text{if } u = \alpha u',\ \alpha \text{ not blocking}$
$\qquad\qquad\quad \cup\ \delta_{A \cup A'} \qquad\qquad \text{if } t = \delta_A,\ u = \delta_{A'},\ \bar{A} \pitchfork A'$
$\qquad\qquad\quad \cup\ t' \parallel u' \qquad\qquad \text{if } t = \alpha t',\ u = \bar{\alpha} u'$

Liveness interleaving is given by a greatest fixpoint. An infinite sequence
of internal communications (operationally, an infinite sequence of $\tau$ moves)
therefore yields all possible traces, including faulting ones, as it should. An
interleaved trace is blocked only when both underlying traces are, and only
when they do not block in opposite directions ($\bar{A}$ is $A$ with directions reversed,
and $\pitchfork$ denotes empty intersection). If two processes are blocked in opposite
directions, then their parallel composition is in fact not blocked, since they
are willing to communicate with each other (cf. stability [4]).
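An added example (not code from the paper) of the two resource-sensitive pieces of this subsection: the projection $(\!|\delta_A|\!)\sigma$ of a blocking action under a resource, and the interleaving of finite liveness traces with the blocking and communication clauses. The prefixing operator $\rhd$ is simplified to plain consing, and ↯ is assumed to absorb the partner trace (consistent with "if P can immediately diverge, so can P|Q"); both are assumptions of this example, as are the sample traces and resources.

```python
"""Blocking actions under resources and finite liveness-trace interleaving
(added illustration, not the paper's code).

Actions are (channel, direction) pairs.  A resource σ is a dict from channel
to 'pub' or 'pri'.  A trace is a tuple of actions ending in FAULT or in a
blocking action ('BLOCK', A).  Assumptions: ▷ is plain consing (resource
effects of ordinary actions are not modelled) and ↯ absorbs the partner trace.
"""

FAULT = ('FAULT',)


def direction(s):
    """'c!' -> ('c', '!'), 'c?' -> ('c', '?')."""
    return (s[:-1], s[-1])


def blocked(*dirs):
    """The blocking action δ_A for A = {dirs}."""
    return ('BLOCK', frozenset(direction(d) for d in dirs))


def trace(*dirs, end):
    """A finite liveness trace: interactions followed by FAULT or a blocking action."""
    return tuple(direction(d) for d in dirs) + (end,)


def is_blocking(a):
    return a[0] == 'BLOCK'


def project_block(A, sigma):
    """(|δ_A|)σ: ↯ if A mentions a channel outside dom(σ); otherwise δ_A' with A'
    the directions on channels σ marks public (private blocking is unobservable)."""
    if any(c not in sigma for c, _ in A):
        return FAULT
    return ('BLOCK', frozenset((c, d) for c, d in A if sigma[c] == 'pub'))


def reverse(A):
    """Ā: the same channels with every direction flipped."""
    return frozenset((c, '?' if d == '!' else '!') for c, d in A)


def compose_blocked(A1, A2):
    """δ_A1 ∥ δ_A2 = δ_{A1 ∪ A2} when Ā1 and A2 do not intersect.  None means the
    two sides could talk to each other, so the composition is not blocked."""
    if reverse(A1) & A2:
        return None
    return A1 | A2


def interleave(t, u):
    """All interleavings of two finite liveness traces, following the four
    clauses of t ∥ u.  On finite traces the least fixpoint already suffices."""
    ht, hu = t[0], u[0]
    if ht == FAULT or hu == FAULT:
        return {(FAULT,)}                               # ↯ is catastrophic (assumption)
    out = set()
    if not is_blocking(ht):                             # t = α t', α not blocking
        out |= {(ht,) + r for r in interleave(t[1:], u)}
    if not is_blocking(hu):                             # u = α u', α not blocking
        out |= {(hu,) + r for r in interleave(t, u[1:])}
    if is_blocking(ht) and is_blocking(hu):             # both blocked, Ā ⋔ A'
        A = compose_blocked(ht[1], hu[1])
        if A is not None:
            out.add((('BLOCK', A),))
    if not is_blocking(ht) and not is_blocking(hu) and reverse({ht}) == {hu}:
        out |= interleave(t[1:], u[1:])                 # t = α t', u = ᾱ u': internal step
    return out


if __name__ == '__main__':
    # The text's examples of projection under [c ↦ pub] and [c ↦ pri]:
    print(project_block(frozenset({('d', '!')}), {'c': 'pub'}))   # ('FAULT',)
    print(project_block(frozenset({('c', '!')}), {'c': 'pub'}))   # δ_{c!}
    print(project_block(frozenset({('c', '!')}), {'c': 'pri'}))   # δ_∅
    # A sender c!.0 in parallel with a receiver c(_).0: two visible orderings plus
    # the silent internal communication, which leaves only δ_∅.
    for r in sorted(interleave(trace('c!', end=blocked()), trace('c?', end=blocked())), key=len):
        print(r)
    # Blocked on c! against blocked on c?: not blocked at all (no trace).
    print(interleave((blocked('c!'),), (blocked('c?'),)))          # set()
```

Running the sender/receiver case also shows why the blocking clause alone is not the whole story: the pair of blocked traces $\delta_{\{c!\}}$ and $\delta_{\{c?\}}$ contributes nothing, while the communication clause on the non-blocked traces produces the internal step.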

3.3 Full abstraction 

The proof of full abstraction is structured similarly to the proof for the safety
semantics. Congruence proofs must take into account blocking actions, which
is straightforward in all cases except for parallel composition. There, we
require a lemma:

Lemma 3.1 (Blocking congruence) Suppose $\sigma_{op} \in \sigma_1 \parallel \sigma_2$. Then

• If $\delta_{A_i} \in \mathcal{LO}[\![P_i]\!]\sigma_i$ and $\bar{A}_1 \pitchfork A_2$ then $(\!|\delta_{A_1 \cup A_2}|\!)\sigma_{op} \in \mathcal{LO}[\![P_1 | P_2]\!]\sigma_{op}$.

• If $\delta_A \in \mathcal{LO}[\![P_1 | P_2]\!]\sigma_{op}$ then $\delta_{A_i} \in \mathcal{LO}[\![P_i]\!]\sigma_i$ for some $A_1, A_2$ with $\bar{A}_1 \pitchfork A_2$
and $(\!|\delta_{A_1 \cup A_2}|\!)\sigma_{op} = \delta_A$.

Defining $=_{\mathrm{lden}}$ and $=_{\mathrm{lop}}$ analogously to the safety semantics, we again
have full abstraction:

Theorem 3.2 (Full abstraction) $P =_{\mathrm{lden}} Q$ iff $P =_{\mathrm{lop}} Q$.
4 Logic

We now sketch a logic for reasoning about the safety semantics of processes.
The logic proves refinement between open processes — denotationally, trace
containment; operationally, contextual approximation. The refinements are
qualified by assertions about owned resources, which is what makes the logic
interesting. The basic judgment of the logic is $\Gamma \vdash p \blacktriangleright P \sqsubseteq Q$, which says the
traces of $P$ are traces of $Q$, as long as the initial resources and environment,
respectively, satisfy assertions $p$ and $\Gamma$ (defined below).
Resource assertions $p$ are as follows:

$p ::= \mathrm{true} \mid \mathrm{false} \mid p \wedge q \mid p \vee q \mid p * q \mid x\ \mathrm{pub} \mid x\ \mathrm{pri} \mid x = y \mid x \neq y$

and we let $x\ \mathrm{known} = x\ \mathrm{pub} \vee x\ \mathrm{pri}$. Satisfaction of assertions depends on both
the environment and resources, as in these illustrative cases:

$\rho,\sigma \models x\ \mathrm{pub} \;\equiv\; \sigma(\rho(x)) = \mathrm{pub}$

$\rho,\sigma \models p_1 * p_2 \;\equiv\; \exists \sigma_1, \sigma_2.\ \sigma = \sigma_1 \uplus \sigma_2 \text{ and } \rho,\sigma_i \models p_i$

Resource assertions like $x$ pub are intuitionistic [17]; without deallocation there
is no reason to use the classical reading, which can assert nonownership. We
are using the standard interpretation of separation logic's $*$ as disjoint separation
to enable sequential reasoning about resource transformers in our logic.
Action interpretations $(\!|\alpha|\!)$ are local with respect to $\uplus$ just as they were for $\parallel$.
Environment assertions $\Gamma$ constrain process variables:

$\Gamma ::= \cdot \mid \Gamma, (p \blacktriangleright X \sqsubseteq P)$
$\rho \models (p \blacktriangleright X \sqsubseteq P) \;\equiv\; \forall \sigma.\ (\rho,\sigma \models p) \Rightarrow \rho(X)(\sigma) \subseteq [\![P]\!]^{\rho}\sigma$

The definition of entailment is thus:

$\Gamma \models p \blacktriangleright P \sqsubseteq Q \;\equiv\; \forall \rho, \sigma.\ (\rho \models \Gamma \wedge \rho,\sigma \models p) \Rightarrow [\![P]\!]^{\rho}\sigma \subseteq [\![Q]\!]^{\rho}\sigma$

By qualifying refinements by resource assertions we can incorporate Hoare
logic-like reasoning. Take, for example, the rule

$$\frac{\Gamma \vdash p * (x\ \mathrm{pub} \wedge y\ \mathrm{pub}) \blacktriangleright P \sqsubseteq Q}{\Gamma \vdash p * (x\ \mathrm{pub} \wedge y\ \mathrm{known}) \blacktriangleright \bar{x}y.P \sqsubseteq \bar{x}y.Q}$$

for sending over a public channel. It is a kind of congruence rule, but we shift
resource assumptions for the subprocesses, corresponding to the Hoare triple

$\{p * (x\ \mathrm{pub} \wedge y\ \mathrm{known})\}\ \bar{x}y\ \{p * (x\ \mathrm{pub} \wedge y\ \mathrm{pub})\}$

The syntactic structure of prefixes (rather than sequential composition)
prevents a clean formulation of the logic using Hoare triples. This is why the
frame $p$ is included, rather than added via a separate frame rule; we are using
"large" rather than "small" axioms [15]. A better treatment is possible if we
semantically interpret prefixing as sequential composition, which requires a
variables-as-resources model [16].

For sending over a private channel, we have an axiom: $\bar{x}y.P$ refines any
process when $x$ is private, because $\bar{x}y.P$ is stuck. The corresponding Hoare
triple is $\{x\ \mathrm{pri} \wedge y\ \mathrm{known}\}\ \bar{x}y\ \{\mathrm{false}\}$.
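An added example, not code from the paper, that makes the two Hoare-style triples above checkable: a small evaluator for the resource assertions of this section (with the intuitionistic reading of ownership and $*$ as disjoint separation), and the effect of the send prefix on resources taken from those triples (over a public channel the sent channel becomes public; over a private channel the prefix is stuck). The state space, the variable environment `RHO`, and the frame assertion are constructed for the example; `send` and `triple_holds` are hypothetical helpers, not the paper's definitions.

```python
"""Resource assertions, satisfaction, and the send prefix as a resource transformer
(added illustration, not the paper's own definitions).

rho maps channel variables to channels; sigma maps channels to 'pub' or 'pri'.
Assertions are nested tuples:
  ('true',) ('false',) ('pub', x) ('pri', x) ('eq', x, y) ('neq', x, y)
  ('and', p, q) ('or', p, q) ('star', p, q)
"""
from itertools import product

PUB, PRI = 'pub', 'pri'


def known(x):
    """x known = x pub ∨ x pri."""
    return ('or', ('pub', x), ('pri', x))


def splits(sigma):
    """Every disjoint split σ = σ1 ⊎ σ2: each channel goes to exactly one side."""
    chans = sorted(sigma)
    for side in product((0, 1), repeat=len(chans)):
        yield ({c: sigma[c] for c, s in zip(chans, side) if s == 0},
               {c: sigma[c] for c, s in zip(chans, side) if s == 1})


def sat(rho, sigma, p):
    """ρ,σ ⊨ p.  'x pub' holds whenever σ(ρ(x)) = pub, whatever else σ owns
    (intuitionistic reading); * quantifies over disjoint splits of σ."""
    tag = p[0]
    if tag == 'true':
        return True
    if tag == 'false':
        return False
    if tag in (PUB, PRI):
        return sigma.get(rho[p[1]]) == tag
    if tag == 'eq':
        return rho[p[1]] == rho[p[2]]
    if tag == 'neq':
        return rho[p[1]] != rho[p[2]]
    if tag == 'and':
        return sat(rho, sigma, p[1]) and sat(rho, sigma, p[2])
    if tag == 'or':
        return sat(rho, sigma, p[1]) or sat(rho, sigma, p[2])
    if tag == 'star':
        return any(sat(rho, s1, p[1]) and sat(rho, s2, p[2]) for s1, s2 in splits(sigma))
    raise ValueError(p)


def send(rho, sigma, x, y):
    """Resource effect of the prefix x̄y, as read off the text's triples (assumption):
    the successor resource, or None when the prefix is stuck."""
    cx, cy = rho[x], rho[y]
    if sigma.get(cx) == PUB and cy in sigma:
        return {**sigma, cy: PUB}        # y is now exposed to the environment
    return None                          # private (or unknown) x: no step


def all_resources(chans):
    """Constructed state space: every σ over chans, each absent, pub or pri."""
    for vals in product((None, PUB, PRI), repeat=len(chans)):
        yield {c: v for c, v in zip(chans, vals) if v is not None}


def triple_holds(pre, command, post, rho, chans=('a', 'b', 'c')):
    """{pre} command {post}: for every constructed σ with ρ,σ ⊨ pre that the
    command can step from, the successor must satisfy post.  A stuck command
    satisfies any post vacuously, which is why {x pri ∧ y known} x̄y {false} holds."""
    for sigma in all_resources(chans):
        if not sat(rho, sigma, pre):
            continue
        after = command(rho, sigma)
        if after is not None and not sat(rho, after, post):
            return False
    return True


RHO = {'x': 'a', 'y': 'b', 'z': 'c'}   # constructed: x, y, z name channels a, b, c
FRAME = ('pri', 'z')                   # the frame p of the rule, here "z pri"


def send_xy(rho, sigma):
    return send(rho, sigma, 'x', 'y')


def public_send_triple():
    """{p * (x pub ∧ y known)} x̄y {p * (x pub ∧ y pub)}"""
    return triple_holds(('star', FRAME, ('and', ('pub', 'x'), known('y'))), send_xy,
                        ('star', FRAME, ('and', ('pub', 'x'), ('pub', 'y'))), RHO)


def private_send_triple():
    """{x pri ∧ y known} x̄y {false}"""
    return triple_holds(('and', ('pri', 'x'), known('y')), send_xy, ('false',), RHO)


def unsound_triple():
    """{x pub ∧ y pri} x̄y {y pri}: false, because sending y over a public x exposes it."""
    return triple_holds(('and', ('pub', 'x'), ('pri', 'y')), send_xy, ('pri', 'y'), RHO)


if __name__ == '__main__':
    print(public_send_triple(), private_send_triple(), unsound_triple())  # True True False
```

The third triple is the one the send rule's shift of assumptions rules out: a channel that was private before being sent over a public channel cannot be assumed private afterwards, which is exactly the "y known" to "y pub" change in the premise.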

Here is a fragment of the logic, focusing on resource-sensitive rules:

A selection of logical rules for safety behavior $\Gamma \vdash p \blacktriangleright P \sqsubseteq Q$

$$\frac{\Gamma \vdash p * (x\ \mathrm{pub} \wedge y\ \mathrm{pub}) \blacktriangleright P \sqsubseteq Q}{\Gamma \vdash p * (x\ \mathrm{pub} \wedge y\ \mathrm{known}) \blacktriangleright \bar{x}y.P \sqsubseteq \bar{x}y.Q}
\qquad
\frac{}{\Gamma \vdash x\ \mathrm{pri} \wedge y\ \mathrm{known} \blacktriangleright \bar{x}y.P \sqsubseteq Q}$$

$$\frac{\Gamma \vdash (p * x\ \mathrm{pub}) \wedge y\ \mathrm{pub} \blacktriangleright P \sqsubseteq Q \qquad y \notin \mathrm{fv}(p, \Gamma)}{\Gamma \vdash p * x\ \mathrm{pub} \blacktriangleright x(y).P \sqsubseteq x(y).Q}
\qquad
\frac{}{\Gamma \vdash x\ \mathrm{pri} \blacktriangleright x(y).P \sqsubseteq Q}$$

$$\frac{\Gamma \vdash p * x\ \mathrm{pri} \blacktriangleright P \sqsubseteq Q \qquad x \notin \mathrm{fv}(p, \Gamma)}{\Gamma \vdash p \blacktriangleright \mathrm{new}\ x.P \sqsubseteq \mathrm{new}\ x.Q}
\qquad
\frac{\Gamma \vdash p' \blacktriangleright P_i \sqsubseteq Q_i \quad (i = 1, 2)}{\Gamma \vdash p \blacktriangleright P_1 | P_2 \sqsubseteq Q_1 | Q_2}$$

$$\frac{(p \blacktriangleright X \sqsubseteq P) \in \Gamma}{\Gamma \vdash p \blacktriangleright X \sqsubseteq P}
\qquad
\frac{\Gamma, p \blacktriangleright X \sqsubseteq Q \vdash p \blacktriangleright P \sqsubseteq Q}{\Gamma \vdash p \blacktriangleright \mathrm{rec}\ X.P \sqsubseteq Q}
\qquad
\frac{p \Rightarrow q \qquad \Gamma \vdash q \blacktriangleright P \sqsubseteq Q}{\Gamma \vdash p \blacktriangleright P \sqsubseteq Q}$$

The congruence rule for parallel composition performs public-lifting $p'$ on
resource assertions (by replacing pri by pub in the assertion).

Fixpoint induction is resource-qualified as well. We reason about the body 
P of a recursive definition rec X.P using a hypothetical bound on X as the 
induction hypothesis. That hypothesis, however, is only applicable under the 
same resource assumptions p that were present when it was introduced — 
making p the loop invariant. 

In addition to these resource-sensitive rules, we have the usual laws of
process algebra, including the expansion law. Combining those laws with the
ones we have shown, we can derive an interference-free expansion law, as in
this simplified version: $\Gamma \vdash x\ \mathrm{pri} \wedge y\ \mathrm{known} \blacktriangleright \bar{x}y.P \,|\, x(z).Q = P \,|\, Q\{y/z\}$.



5 Discussion 

5.1 Future work: richer resources 

Our resource model captures exactly the guarantees provided by the π-calculus:
until a channel is exposed, it is unavailable to the environment; afterwards, all
bets are off. This property is reflected in the fact that $\Sigma$ is not a separation
algebra, since $c\ \mathrm{pub} \parallel c\ \mathrm{pub}$ can result in $c$ pub or $c$ pri. No amount of public
ownership adds up definitively to private ownership.

Rather than using resources to model the guarantees of a language, we
can instead use them to enforce guarantees we intend of programs, putting
ownership "in the eye of the asserter" [14]. We can then recover privacy just
as Boyland showed [1] how to recover write permissions from read permissions:
via a fractional model of ownership: $\Sigma_{\mathrm{frac}} = \mathrm{Chan} \rightharpoonup [0, 1]$. Unlike traditional
fractional permissions, owning a proper fraction of a channel does not limit
what can be done with the channel — instead, it means that the environment
is also allowed to communicate on the channel. The fractional model yields a
separation algebra, using (bounded) summation for resource addition. An easy
extension is distinguishing send and receive permissions, so that interference
can be ruled out in a direction-specific way.

One can also imagine encoding a session-type discipline [10] as a kind of
resource: $\Sigma_{\mathrm{sess}} = \mathrm{Chan} \rightharpoonup \mathrm{Session}$ where

$s \in \mathrm{Session} ::= !.s \oplus !.s \mid ?.s \mathbin{\&} ?.s \mid !.s \mid ?.s \mid \mathrm{end}$

Separation of session resources corresponds to matching up dual sessions, and 
actions work by consuming the appropriate part of the session. Ultimately, 
such resource models could yield rely-guarantee reasoning for the 7r-calculus, 
borrowing ideas from deny-guarantee [6]. A challenge for using these models 
is managing the ownership protocol in a logic: how are resources consistently 
attached to channels, and how are resources split when reasoning about paral- 
lel composition? We are far from a complete story, but believe our semantics 
and logic can serve as a foundation for work in this direction. 

5.2 Related work 

Hoare and O'Hearn's work [9] introduced the idea of connecting the model
theory of separation logic with the π-calculus, and provided the impetus for
the work presented here. Their work stopped short of the full π-calculus,
modelling only point-to-point communication and only safety properties. Our
liveness semantics, full abstraction results, and refinement calculus fill out the
rest of the story, and they all rely on our new resource model. In addition,
our semantics has clearer connections to both Brookes's action trace model [2]
and abstract separation logic [5].

Previous fully abstract models of the π-calculus are based on functor
categories [20,8,7], faithfully capturing the traditional role of scope for privacy
in the π-calculus. Those models exploit general, abstract accounts of recursion,
nondeterminism, names and scoping in a category-theoretic setting. We
have similarly sought connections with a general framework, but have chosen
resources, separation and locality as our foundation.

An immediate question is: why do we get away with so much less mathematical
scaffolding? This question is particularly pertinent in the comparison
with Hennessy's work [8], which uses a very similar notion of observation. 
Hennessy's full abstraction result is proved by extracting, from his functor- 
categorical semantics, a set of acceptance traces, and showing that this ex- 
traction is injective and order preserving. The force of this "internal full ab- 
straction" is that the functor-categorical meaning of processes is completely 
determined by the corresponding acceptance traces. But note, these traces are 
not given directly via a compositional semantics: they are extracted only after 
the compositional, functor-categorical semantics has been applied. What we 
have shown, in a sense, is that something like acceptance traces for a process 
can be calculated directly, and compositionally, from process syntax. 

Beyond providing a new perspective on the π-calculus, we believe the
resource-oriented approach will yield new reasoning techniques, as argued
above. We have also emphasized concreteness, giving an elementary model
theory based on sets of traces.

Finally, it is worth noting that substructural type systems have been used
to derive strong properties (like confluence) in the π-calculus [11], just as we
derived interference-free expansion. Here, we have used a resource theory to
explain the π-calculus as it is, rather than to enforce additional discipline. But
the ideas of §5.1 take us very much into the territory of discipline enforcement.
More work is needed to see what that territory looks like for the resource-based
approach.